DeepAgents CLI 0.1.1 Adds the Container Host Flag That Separates Local Agent Dev From Accidental Exposure
DeepAgents CLI 0.1.1 is a one-flag release, which makes it a useful test of whether we are paying attention to the right things. The new flag is --host for deepagents dev. It defaults to 127.0.0.1 and can be set to 0.0.0.0 when developing inside containers. That is not glamorous. It is also exactly the kind of boundary agent tooling needs to make explicit.
LangChain published deepagents-cli==0.1.1 on May 18. The release body is short: “Add --host option to deepagents dev command” via PR #3444. The PR was merged earlier the same day with 49 additions and one deletion across two files. It forwards the value to langgraph dev --host.
The motivating issue, #3431, was opened by Kevin Pedretti on May 16. The request was practical: containerized development needs the dev server to bind beyond loopback so the host machine can reach it. Without deepagents dev --host 0.0.0.0, developers have to work around the CLI. Workarounds around network binding are where good defaults often go to die.
Localhost is a security feature, not just a default
A host-binding flag sounds like ordinary developer ergonomics until you remember what a modern agent dev server can expose. This is not a static documentation preview. Deep Agents is documented as an agent harness built on LangChain and LangGraph, with task planning, file systems for context management, subagent spawning, long-term memory, durable execution, streaming, and human-in-the-loop support. The repository includes Deep Agents SDK, Deep Agents Code, and ACP integration for editors like Zed. Deep Agents Code is positioned as a terminal coding agent similar to Claude Code or Cursor, powered by any LLM.
That means a dev server can sit next to running sessions, tool definitions, file-system backends, traces, approval surfaces, MCP integrations, and sometimes shell-capable sandbox execution. Binding that surface to 127.0.0.1 is not a random default. It is a safety posture. Binding it to 0.0.0.0 may be necessary in a container, but it should be an explicit decision that makes the boundary visible.
The release gets that shape right. The default remains local-only. The escape hatch exists for Docker, remote development, and other containerized setups. The CLI does not silently broaden exposure just because someone needs the thing to work. That is the difference between developer experience and developer experience with adult supervision.
At research time, langchain-ai/deepagents had roughly 22,928 stars, 3,237 forks, 157 open issues, and had been pushed after the release. That level of interest matters because Deep Agents is not merely a library surface. It is part of the broader coding-agent and agent-harness conversation, where developers run tools inside real repositories, connect model providers, allow file edits, execute tests, and wire agents into editors and terminals.
Container ergonomics can become accidental exposure
The container use case is legitimate. Agent runtime stacks are messy: model SDKs, browser tools, sandbox backends, Python and Node packages, MCP servers, provider credentials, vector stores, filesystem mounts, and editor bridges. Teams increasingly develop them in containers or remote environments to keep host machines clean and make onboarding repeatable.
But container networking has a habit of turning “make it reachable from my laptop” into “make it reachable from more places than I intended.” 0.0.0.0 inside a container is not automatically bad. It is context-dependent. Paired with a carefully published port on a local Docker network, it may be exactly right. Paired with broad host networking, a shared remote VM, or a poorly firewalled dev box, it can expose an agent runtime to other users or machines.
That exposure matters more for agent tools than for many traditional dev servers. A web-app hot reload server may leak source code or session state. An agent dev server may expose an interface connected to tools that can read files, call external services, operate on credentials, or launch sandboxed shell commands. The risk is not that the model will become malicious because the port is open. The risk is that the runtime already has capabilities, and the network boundary decides who can reach them.
Deep Agents’ own documentation uses the right framing: it follows a “trust the LLM” model, where the agent can do anything its tools allow. Boundaries must be enforced at the tool and sandbox layer, not by expecting the model to self-police. Host binding belongs in that same bucket. It is one of the physical controls around an agent’s capabilities.
The CLI split makes the plumbing more important
This release also lands right after LangChain’s recent Deep Agents product split, where deepagents-cli==0.1.0 removed the interactive TUI and coding-agent surface and pointed users toward deepagents-code. That matters because it clarifies the job of the CLI. The coding-agent product can optimize for interactive workflows. The CLI should make runtime behavior explicit, scriptable, and boring.
Forwarding --host to langgraph dev fits that job. It aligns Deep Agents development with LangGraph’s underlying server behavior instead of forcing users to guess where the binding decision lives. It also avoids the common framework smell where a high-level CLI wraps a lower-level tool but forgets to expose the operational switches production-minded developers actually need.
There is a useful lesson for the broader coding-agent market here. Comparisons between Claude Code, Codex, Cursor, Deep Agents Code, and similar tools tend to focus on model quality, editing ability, context handling, and UI ergonomics. Those matter. But the runtime details matter too: host binding, filesystem scopes, sandbox backends, shell permissions, MCP server access, human-approval rules, and trace visibility. The best coding agent is not just the one that writes better diffs. It is the one whose boundaries you can inspect before you give it your repository.
For practitioners, the checklist is simple. Keep the default loopback binding for ordinary local work. Use --host 0.0.0.0 only when you understand the container and network path. Prefer explicit port publishing over broad host networking. Do not mount sensitive home directories into agent sandboxes by default. Treat shared remote development machines as shared infrastructure, not personal laptops. Document who can reach the dev server and what tools the agent can use once they do.
If you are evaluating Deep Agents Code against Claude Code, Cursor, Codex-style flows, or other terminal agents, add this category to the review: can the tool explain its runtime boundary without making you read source code? DeepAgents CLI 0.1.1 is not a major feature release. It is a small sign that LangChain is making containerized agent development explicit instead of relying on accidental network behavior. That is worth more than another demo video.
Sources: DeepAgents CLI 0.1.1 release, DeepAgents PR #3444, DeepAgents issue #3431, Deep Agents docs